orcus | 9d053e2bc0db1f6af6c3a840fc3004b31a4be7f8b807e703a502dce3bb8f7d3e | Triage

Sharing

General

Target

9d053e2bc0db1f6af6c3a840fc3004b31a4be7f8b807e703a502dce3bb8f7d3e
Size

924KB
MD5

a7fe2256e4b0da68f7b1f004576b210b
SHA1

21e736033e137d90b13c33a492095daf1bbf7ab8
SHA256

9d053e2bc0db1f6af6c3a840fc3004b31a4be7f8b807e703a502dce3bb8f7d3e
SHA512

c0b52b4de0b82302fed5f0eaa7e596f8fa656d1872516f1110ac0b29d7a96dc3afc437cd161f58c48da4f9277fb2dbcb1680f4edf0f468cf11e5e64b6ba8680e
SSDEEP

24576:SGq4MROxnFE33O3urrcI0AilFEvxHPjooz:SuMiuMurrcI0AilFEvxHP

Score

10^/10

orcus

Malware Config

Extracted

Family

orcus

C2

194.226.169.3:1337

Mutex

616472cdd55f4e95988997971c371b81

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\svchost.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
sample	family_orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
9d053e2bc0db1f6af6c3a840fc3004b31a4be7f8b807e703a502dce3bb8f7d3e

Files

9d053e2bc0db1f6af6c3a840fc3004b31a4be7f8b807e703a502dce3bb8f7d3e
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 921KB - Virtual size: 921KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ